A controlled, one-week red-team / blue-team engagement on an isolated enterprise lab network. Scenario client: SecureNet Inc. A live opposing red team. A full hardening-and-defense lifecycle, documented end to end.
The lab was controlled and the client is a scenario. The defensive work, the SIEM stack, the incident response, and the forensics are real.
| | |
|---|---|
| Duration | One week, end to end |
| Role | Incoming security consultant, blue team |
| Estate | 8 in-scope systems - a Windows domain, web and application servers, a SIEM, the perimeter firewall |
| Opposition | A live red team, attacking from kickoff with no preparation window |
| Result | 1 host compromised, 1 contained attempt, 6 systems with no exploitation |
Across a week of sustained attack, one host was genuinely compromised (a web-RCE reverse shell), detected and contained in roughly 55 minutes. One host saw web shells uploaded but never executed - a contained attempt. Six systems showed no exploitation, confirmed by an end-of-window forensic sweep. The one compromise is documented in full, and so is a forensic correction made when fuller analysis contradicted the first read. See Outcome and Forensics.
This repository is the engagement report. Read it in order, or jump to any section. Each page links to the next at its foot.
Report
- Executive Summary
- The Environment
- Initial State: Day One
- Engagement Timeline - the day-by-day walkthrough of the whole week
- Hardening: Firewall
- Hardening: Credentials and Active Directory
- Hardening: Per-Host
- Detection and Deception
- Monitoring and Response Stack
Incident reports
- SO-1: Shellshock Exploitation Attempt
- SO-2: Web RCE Compromise
- SO-3: OwnCloud GraphAPI Probe
- SO-4: HTTP Request Smuggling
- SO-5: Multi-Port Scan and RDP DoS
Closing and appendices
- Outcome and Forensics
- Recommendations
- Appendix A: Change Log
- Appendix B: Tools and Techniques
- Appendix C: MITRE ATT&CK Coverage
| Path | Contents |
|---|---|
| detection/ | The custom Sigma detection rule pack deployed in Security Onion |
| automation/ | The response-automation daemons - alert bridge, auto-block, auto-unblock, watchdog, uptime monitor - as clean reference implementations |
| methodology/ | The change-management and structured-remediation methods used during the engagement |
| assets/ | The topology diagram and the script that generates it; embedded screenshots |
- SIEM operations - Security Onion (Suricata, Zeek, Sigma, Elasticsearch and the Kibana Hunt interface)
- Detection engineering - a custom Sigma rule pack, MITRE ATT&CK mapped
- Network security - pfSense firewall hardening, segmentation, and alias-based blocking with a time-bounded auto-block pipeline
- Windows and Active Directory hardening - CIS benchmarks, krbtgt rotation, privilege-sprawl cleanup, AS-REP roasting mitigation
- Linux hardening - SSH, Samba, UFW, auditd, fail2ban
- Incident response and host forensics under live time pressure
- Disciplined change management - an append-only registry where every change carries a rollback and a re-apply command
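Two items above, the time-bounded auto-block pipeline and the append-only change registry with a rollback and re-apply command per change, fit together naturally. The following is an added illustration of that combination written for this README; it is not the code in `automation/` or `methodology/`. The pfSense table name `auto_block`, the protected management range `10.0.0.0/24`, the sample alert dicts and the attacker addresses are all constructed assumptions. Blocks are expressed as `pfctl` table operations, so every block entry's rollback is the matching delete, and every TTL-driven unblock is itself logged with the add command as its re-apply.

```python
"""Time-bounded auto-block with an append-only change registry.

Added example for illustration; not the repository's automation/ code.
Alert dicts are constructed here; the block table name, TTL and protected
range are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

BLOCK_TABLE = "auto_block"                  # assumed pfSense alias/table name
PROTECTED = [ip_network("10.0.0.0/24")]     # assumed lab management range, never blocked
DEFAULT_TTL = 3600                          # seconds a block stays active


@dataclass
class ChangeEntry:
    seq: int
    action: str          # "block" or "unblock"
    target: str
    reason: str
    apply_cmd: str       # command that makes the change
    rollback_cmd: str    # command that undoes it


@dataclass
class AutoBlocker:
    ttl: int = DEFAULT_TTL
    blocked: dict = field(default_factory=dict)    # ip -> expiry (epoch seconds)
    registry: list = field(default_factory=list)   # append-only ChangeEntry log

    def _record(self, action, target, reason, apply_cmd, rollback_cmd):
        self.registry.append(ChangeEntry(len(self.registry) + 1, action, target,
                                         reason, apply_cmd, rollback_cmd))

    def handle_alert(self, alert, now):
        """Decide on one alert. Returns the block command to run, or None."""
        src = alert.get("src_ip", "")
        try:
            ip = ip_address(src)
        except ValueError:
            return None                      # malformed source: never act on it
        if ip.is_loopback or any(ip in net for net in PROTECTED):
            return None                      # allow-listed: a false positive here would self-DoS
        if src in self.blocked:
            self.blocked[src] = max(self.blocked[src], now + self.ttl)
            return None                      # already blocked: extend the TTL, no duplicate change
        self.blocked[src] = now + self.ttl
        add = f"pfctl -t {BLOCK_TABLE} -T add {src}"
        delete = f"pfctl -t {BLOCK_TABLE} -T delete {src}"
        self._record("block", src, alert.get("rule", "unspecified"), add, delete)
        return add

    def expire(self, now):
        """Auto-unblock: returns the delete commands for every block past its TTL."""
        cmds = []
        for src, expiry in list(self.blocked.items()):
            if expiry <= now:
                del self.blocked[src]
                add = f"pfctl -t {BLOCK_TABLE} -T add {src}"
                delete = f"pfctl -t {BLOCK_TABLE} -T delete {src}"
                # The unblock is a change too: its rollback is re-applying the block.
                self._record("unblock", src, "ttl expired", delete, add)
                cmds.append(delete)
        return cmds


# Constructed sample alerts, in the shape an alert bridge might forward.
SAMPLE_ALERTS = [
    {"src_ip": "172.16.40.23", "rule": "web-rce-reverse-shell"},
    {"src_ip": "172.16.40.23", "rule": "web-rce-reverse-shell"},   # duplicate of the first
    {"src_ip": "10.0.0.5",     "rule": "multi-port-scan"},         # inside the protected range
    {"src_ip": "not-an-ip",    "rule": "shellshock-attempt"},      # malformed source field
    {"src_ip": "172.16.40.9",  "rule": "http-request-smuggling"},
]


def run_demo(start=1_700_000_000):
    """Feed the samples, then advance the clock past the TTL to trigger unblocks."""
    blocker = AutoBlocker()
    block_cmds = []
    for alert in SAMPLE_ALERTS:
        cmd = blocker.handle_alert(alert, start)
        if cmd:
            block_cmds.append(cmd)
    unblock_cmds = blocker.expire(start + DEFAULT_TTL + 1)
    return blocker, block_cmds, unblock_cmds


if __name__ == "__main__":
    blocker, blocks, unblocks = run_demo()
    for e in blocker.registry:
        print(f"#{e.seq} {e.action:<7} {e.target:<13} {e.reason:<24} "
              f"apply: {e.apply_cmd} | rollback: {e.rollback_cmd}")
```

Running it shows four registry entries (two blocks, then two TTL-expiry unblocks), with the duplicate alert folded into the existing block and the management address and the malformed alert producing no change at all. The protected-range check is the part worth copying: an auto-blocker fed by a noisy SIEM rule will otherwise block its own SIEM, jump host or firewall management address the first time one of them trips a signature.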
Controlled lab exercise. SecureNet Inc. is a fictional scenario company. The lab uses private RFC1918 addressing throughout.
